Good Risk-based Policy Management Could Have Saved Facebook a Lot of Trouble
Cambridge Analytica privacy scandal anything but “Liked” by Facebook users
From 2007 to 2014, according to Mark Zuckerberg’s account of the events, the Facebook platform was designed specifically to enable the sharing of personal information – birthdays, home addresses, current locations – among friends. App developers were encouraged to build “social” tools that rewarded participation and sharing. The upside: an interactive platform where behaviors and “likes” could help determine relevant information to share, and an advertisers’ goldmine. The downside: a wild west of personal information sharing and selling where trust was traded for intel.
What could Facebook have done differently? Well, many things! But a significant failing seems to be in not adopting Risk-based Policy Management from the start. While the social side of the business encouraged personal information sharing and apps that facilitated this, nobody seemed to be monitoring how developers and third parties gather, use and share this personal and private information. And it’s not like good policies are hard to come by in an era of strong board governance and increasing information security risk. For example: https://www.csoonline.com/article/2124114/it-strategy/strategic-planning-erm-how-to-write-an-information-security-policy.html. These basic rules and policies should have been defined and enforced.
Facebook users should also have been informed or given the right to refuse the sharing of their personal information. And sharing the information of friends without permission should not have been allowed.
Good InfoSec/Privacy policies would also cover the destruction of information and the consequences of failing to do so. So, in 2014, when Facebook discovered Aleksander Kogan was using the information for non-academic pursuits (Kogan says his profile clearly stated he was using it for commercial purposes), he should have been shut down and the content destroyed. Neither happened. Good policies require certification of information destruction.
Amid this scandal, Reuters/Ipsos released a poll that said only 41 percent of Americans trust Facebook to obey US Privacy Laws. If nearly 60 percent of your market would not do business with you based on reputation alone, how would you resolve this? People are beginning to opt out of online relationships with vendors who share information with third parties. Clear, transparent corporate policies are becoming increasingly important. And when dealing with third parties, upfront due diligence, ongoing monitoring and periodic assessments are becoming the norm. When your reputation is your business, you must have strong Risk-based Policy Management. Just ask Zuckerberg… when he’s done meeting with Congress.